Like it is stated, you are sending 2 parameters on the request with the same name, one from the query string and another on the body.

Now it is up to you to either validate that no parameter is coming from the query string or read directly values from the request body.

网友答案:

Did you check what request.getAttribute() returns?

Anyway you can't avoid that people will try to send you evil data, either in the url or by tinkering with the post-request.

So when you work with input from a website, always imagine a hacker sitting on the other side and sending you evil content in your parameters, like sql-injections. So you need a good validation to only let good content through to your database.

Because it's not your problem if a user enters his username as a parameter in the url. Let him have the fun, if he prefers this way over the input-field. The hackers are the problem.

网友答案:

I think it is a problem of front end code, instead of servlet. Any post request submission from UI should strip query string.

网友答案:

You can read both of them using getParameterValues, the first one is query string and the second one is post body. Now you can decide which one to use.
String[] lines = request.getParameterValues("name");